PUBLIC COMMENTS extended UNTIL 6/7/19

How to make a comment to the Election Assistance Commission

The Election Assistance Commission is responsible for setting the Voluntary Voting System Guidelines that determine many factors in how we vote. They are currently approving the new guidelines called the VVSG 2.0. Although these guidelines are an improvement, they have serious omissions that will undermine their ability to guarantee that all votes are counted as cast. We ask that you send this letter, or your own version of it to the EAC by 5pm EST on 6/7/19.

I welcome the new VVSG 2.0 as a significant improvement to the current voting system guidelines. However as drafted, the VVSG 2.0 provides inadequate security and will not be able to assure voters that their votes are being counted as cast. This may be due in part to reliance on the advice of voting system vendors, who have not historically shown a commitment to election security.

I ask that you make sure that all systems approved by the VVSG 2.0 meet the following standards:

NO APPROVED VOTING SYSTEM WILL :

1. allow Direct Record Electronic voting, even with a voter-verified paper audit trail. Studies have shown that voters do not verify paper audit trails from DRE machines and we need to move away from this system.

2. allow a ballot-marking device to act as a direct-record electronic system by allowing a vote to be recorded to computer memory or printed on a ballot without review by the voter - sometimes called "Permission to Cheat" mode."

3. have a modem, allow remote, wireless or internet access; or connect even incidentally to any computer or network that has been connected to a public network.
4. allow the technical opportunity for a machine to change a voter's selections on a ballot, after the voter has cast it – even if the machine is under the control of malware. It may be useful for some component of a voting system to print a unique identifier on a ballot, once the ballot is anonymous. But that capability must never allow voter selections to be impacted.
5. be a hybrid machine – with a printer and a scanner in the same path.

6. encode votes using barcodes or QR codes.

7. allow weighted election functions that use decimal counting methods. Votes must be counted as whole numbers.
8. allow "recallable ballot" provisions that enable the identification of a specific voter’s ballot after it is cast. Once a ballot is recorded it must never be recallable.

ALL APPROVED VOTING SYSTEMS WILL

9. provide a durable paper ballot to be marked by hand by all voters who are capable. A paper ballot created by a machine is not sufficient.

10. provide accommodations for voters with disabilities that allow them to vote privately, independently and comfortably.

11. require testing and public opportunities for comment on all systems by voters with disabilities and disability advocates for a minimum of 45 days.

12. require testing and public opportunities for comment by the general public and independent security experts for a minimum of 45 day.

13. use durable paper known to retain a quality image for the 22 months required by HAVA, not thermal paper.

14. support the ability to have an accurate hand-counted audit of a trusted audit trail. An audit trail that can be compromised by a malware attack will not qualify as a trusted audit trail.

15. require that digital ballot images, cast vote records (CVRs), and the spreadsheets containing CVRs that are generated by digital scan voting systems will all be designated as "archival" public records that must be preserved for 22 months following a federal election. None of these items should be designated as "transient" materials.

The EAC must create a panel of technical election security experts, separate from NIST staff, with no financial relationship to vendors and no financial interest in emerging systems. The EAC needs to take input on the VVSG 2.0, and future policies from this panel - and other non-vested security experts on an ongoing basis. The EAC must stop its primary reliance on vendors and their representatives for technical guidance. This is a conflict of interest, and is undermining the ability of the EAC to create robust security protocols for our elections.

The EAC must set and meet the goal that by the end of 2022 40% of the Technical Guidance Development Committee will be made up of technologists and individuals with technology expertise.